Apple’s iCloud is secure; weak passwords and gullible users are not

“The week before a crucial launch of its new iPhone, Apple Inc said intimate photos of celebrities including Oscar-winner Jennifer Lawrence were leaked online through the apparent hacking of individual iCloud accounts,” Edwin Chan and Christina Farr report for Reuters.

“Apple rushed to restore confidence in its systems’ security, saying the celebrity photo scandal that also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems,” Chan and Farr report. “‘We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,’ Apple said in a statement. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.’”

“The celebrity hacking that came to light over the long Labor Day weekend nevertheless ranks among the highest-profile public fiascos for Apple in recent years. Regardless of how the leaking of nude celebrity photos actually happened, the timing could not have been worse for Apple as it prepares to launch a new iPhone next week,” Chan and Farr report. “Cybersecurity experts say the perpetrators possibly gleaned the celebrities’ email addresses and mounted a long-term phishing attempt – a relatively straightforward attack through which hackers gain access to users’ accounts by getting them to click on a compromised URL or Internet link.”

Read more in the full article here.

MacDailyNews Take: The problem, beyond those who click links in emails willy-nilly, is that too many people use one password for multiple services, and a weak one at that. Once attackers obtain it, whether by guessing it, phishing it, or lifting it from a breach of any one site, they have access to all sorts of things: cloud storage, bank accounts, Facebook, Twitter, email, etc.

Regardless of where these photos and videos originated, an attack that relies on a stolen or guessed password can be blunted, at least for iCloud: turn on two-step verification for your Apple ID, so that a password and security-question answers alone are not enough to take over the account. A second factor is a backstop, not a substitute for strong, unique passwords. More info here.

As we’ve written before: Always use a unique password for every service, and let Apple’s Keychain Access and iCloud Keychain generate and store them so that none of them needs to be memorable or typed from memory. When used properly, they work like a dream.
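As an added illustration of the three points above (a reused password, a second factor, and generated unique passwords), here is a constructed Python simulation. It is not code from the original post, from Apple, or from any real provider: the services, the user, the breach dump and the challenge-response second step are all stand-ins, and that second step is a simplified model rather than Apple's two-step verification mechanism. One user holds accounts on four toy services; only the shop is breached, and the attacker replays the leaked credentials everywhere else.

```python
"""Constructed simulation (not code from the original post, Apple or any real
provider): one user, four toy services, one breach. Shows why a password reused
across services lets a single leak cascade, and why a second factor the attacker
does not hold stops the replay even when the password is correct."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 50_000  # toy value for a quick demo; tune per deployment


def generate_password(length: int = 20) -> str:
    """What a password manager does: a fresh random secret for each service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def second_factor_response(device_secret: bytes, challenge: bytes) -> bytes:
    """Response only the enrolled device can compute (stand-in for a real second factor)."""
    return hmac.new(device_secret, challenge, hashlib.sha256).digest()


@dataclass
class Service:
    """Toy account store: salted PBKDF2 password hashes, optional second step."""
    name: str
    requires_second_factor: bool = False
    users: dict = field(default_factory=dict)  # email -> (salt, pw_hash, device_secret)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, email: str, password: str) -> bytes:
        """Store the credential; return the device secret that only the user's device keeps."""
        salt = secrets.token_bytes(16)
        device_secret = secrets.token_bytes(32)
        self.users[email] = (salt, self._hash(password, salt), device_secret)
        return device_secret

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login(self, email, password, challenge=None, response=None) -> bool:
        record = self.users.get(email)
        if record is None:
            return False
        salt, stored, device_secret = record
        if not hmac.compare_digest(self._hash(password, salt), stored):
            return False
        if not self.requires_second_factor:
            return True  # password alone is enough here: the weak setting
        if challenge is None or response is None:
            return False  # correct password but no second step: the attacker stops here
        return hmac.compare_digest(second_factor_response(device_secret, challenge), response)


def credential_stuffing(dump, targets):
    """Attacker replays each leaked (email, password) pair against every other service.
    They hold no enrolled device, so they cannot answer a second-factor challenge."""
    compromised = {svc.name: [] for svc in targets}
    for email, password in dump:
        for svc in targets:
            if svc.login(email, password):
                compromised[svc.name].append(email)
    return compromised


def build_scenario(reuse_password: bool):
    """One user on four services; the shop is breached and its plaintext credentials leak."""
    email = "victim@example.com"  # constructed
    shop, mail, cloud = Service("shop"), Service("mail"), Service("cloud")
    cloud_2sv = Service("cloud-with-second-factor", requires_second_factor=True)
    shared = "jenny123"  # weak, reused password (constructed)
    leaked = legit_password = device_secret = None
    for svc in (shop, mail, cloud, cloud_2sv):
        password = shared if reuse_password else generate_password()
        secret = svc.register(email, password)
        if svc is shop:
            leaked = password
        if svc is cloud_2sv:
            device_secret, legit_password = secret, password
    dump = [(email, leaked)]  # the breach: only the shop's database leaked
    return dump, [mail, cloud, cloud_2sv], (cloud_2sv, email, legit_password, device_secret)


def demo() -> dict:
    results = {}
    for reuse in (True, False):
        dump, targets, legit = build_scenario(reuse)
        results["reused" if reuse else "unique"] = credential_stuffing(dump, targets)
    # The real user, holding the enrolled device, still gets in on the protected service.
    svc, email, password, device_secret = legit
    ch = svc.challenge()
    results["legitimate_second_factor_login"] = svc.login(
        email, password, ch, second_factor_response(device_secret, ch))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the reused password, the shop leak hands the attacker the mail and cloud accounts outright; the service that demands a second step refuses the same correct password. With generated unique passwords, the leak buys the attacker nothing beyond the shop itself, which is the whole argument for letting a keychain make and keep them.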

Related articles:
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

45 Comments

          1. Doesn’t sound plausible. Your SIM must receive the SMS. You can receive the SMS only on your Mac because the new iMessage will use BTLE technology to relay your iMessage messages (including SMS) from your phone to the desktop.

  1. I’m not terribly security conscious, but even I know to keep my passwords unique. And I have a separate email address for my personal life and ones I give to companies that sell me stuff, and no-one (except my wife and Apple) knows our iCloud email address. Oh. And any naked pictures we may (or may not) have made aren’t backed up on the cloud 🙂

  2. I appreciate the lesson Jennifer Lawrence had to learn.
    I guess this will be the wake-up call that shook up the world to think about security, privacy, password algorithms and what to share and what not, BUT most of all:

    How secure is your password ?

    Does it contain at least one symbol / special character, upper AND lower case letters and numbers as well?

    Here is one little piece of advice

    Don’t choose simple passwords like “1qaz+wsy”
    or “jenny123”

    To be safer think different:
    Example, choose every first letter of each word of this easy to remember sentence:
    “The first movie I got an Oscar for was the Hunger Games” =
    TfmIgaOfwcTHG would not be too bad, right?

    To make it even safer, make some changes here:
    TfmIga04wc”THG”

    That's pretty easy to remember and much safer!

    Go another step further like:

    Tfm>Iga04<wc"THG"

    Pretty hard to hack, if you are not Jennifer Lawrence, because this password sentence itself is too obvious on her account 😉 So Jenny, how about:

    "When the world is running down, you make the best of what's still around"
    I guess we will see Jennifer very soon in another blockbuster movie, and of course not only the guys will still love her very much as an outstanding beauty and actress!

    Another piece of good advice:
    Do not use your iCloud password somewhere else !

    Your smartphone has become an important part of your privacy, and it has to be protected well; don't you forget it!

    1. Thank you for your excellent and helpful post. I’ve read a lot of chuckling at the victims of these attacks because they are celebrities. But they are victims, regardless of whether they used strong, unique passwords and two-factor authentication – or not.

      The point here, one you made so well, is that all of us should learn from these attacks. My hunch is that the celebrities were victims of a targeted spear phishing attack. Sadly, these are becoming more sophisticated, and are often used by foreign intelligence agencies or high level hackers to gain access to corporate and government networks through carefully crafted emails with links. It could happen to all of us.

      Your suggestions are ones we should re-read, regardless of whether we practice them or not. Criminals are crafty and motivated. We have to stay a step ahead. I’m disgusted that the victims of this hack were all women, likely the target of a basement-dwelling script kiddie loser.

      Karma works slowly, but eventually, it will.

  3. Password security is a good answer, but the elephant in the room is “How stupid can you be to take nude photos of yourself when you’re a public figure?” Duhhh…

    1. I know what you mean, but don’t you think she just wants to be an average person doing stupid things from time to time, especially when you feel safe with Apple's ecosystem?

      She’s got curves, man, and you know what? I would take naked selfies the whole day if I were in her shoes!

  4. Browsing the web, the pundits are STILL trying to twist it as Apple’s fault (as they were bashing Apple all through the weekend based on fact-less Apple-hate suppositions). Apple bashing gets more page hits than a bland ‘not Apple’s fault’.

    If Apple came up with a device easily used by the BLIND , pundits will headline “With New Product Apple Again IGNORES the DEAF!”.

    1. Yeah, already I’ve seen quite a number of “Why would I deal with Apple mobile payments after iCloud has been hacked.” Stupid for two reasons. One is that iCloud was not hacked, and mobile payments using a fingerprint and an AX Secure Enclave processor would be a huge difference. No matter. If people are looking for reasons to fault Apple and can’t find them, then they’ll just make up some reasons of their own.

      The news media grabs an article and then repeats it endlessly without ever checking the facts. All of them busting their asses to get attention. If Apple says they’re not at fault, then there will be some articles saying Apple is simply trying to cover up their breach. That’s how it is.

  5. Phishing attacks are a part of the problem, and they are getting worse. While I can spot phishing pages, they can look so identical to login pages that I don’t think one has to be totally gullible to type their password into one.

  6. Look at MDN trying to toe the Apple line. Of course iCloud was compromised. I’d expect nothing less from Tim “the steward” Cook’s rotting Apple. That’s right, blame the users. It is never Apple’s fault. They are blameless and innocent and can never be blamed for anything.
